Vault security hardening and role isolation

2026-02-26 23:46:11 -03:30 · 2017-02-08 21:41:36 +00:00
parent f4ec2d18e5
commit 245e05ce61
78 changed files with 1408 additions and 706 deletions
--- a/cluster.yml
+++ b/cluster.yml
@@ -28,14 +28,21 @@
  roles:
    - { role: kubernetes/preinstall, tags: preinstall }
    - { role: docker, tags: docker }
-    - { role: rkt, tags: rkt, when: "'rkt' in [ etcd_deployment_type, kubelet_deployment_type ]" }
+    - role: rkt
+      tags: rkt
+      when: "'rkt' in [etcd_deployment_type, kubelet_deployment_type, vault_deployment_type]"

- hosts: all
+- hosts: etcd:k8s-cluster:vault
  any_errors_fatal: true
  roles:
    - { role: vault, tags: vault, vault_bootstrap: true, when: "cert_management == 'vault'" }

- hosts: etcd:k8s-cluster
+- hosts: etcd:!k8s-cluster
+  any_errors_fatal: true
+  roles:
+    - { role: etcd, tags: etcd }
+
+- hosts: k8s-cluster
  any_errors_fatal: true
  roles:
    - { role: etcd, tags: etcd }